RDP and VPN Remain Top Ransomware Attack Pathways
An analysis of chat logs from the Black Basta ransomware group revealed that its members utilized nearly 3,000 unique credentials to infiltrate various corporate networks.
Their primary targets were remote-desktop software and virtual private networks (VPNs), including Microsoft's Remote Desktop Web Access, Palo Alto's GlobalProtect, and Cisco's VPN services. By compromising these services, attackers gained entry into corporate networks, facilitating data theft and ransomware deployment, DarkReading reports.
Researchers emphasized that obtaining such credentials, especially when multi-factor authentication (MFA) is absent or bypassed, provides threat actors with a foothold into an organization's network. This access allows them to expand their reach using various tools and reconnaissance methods.
Researchers observed Black Basta members actively seeking login credentials for VPN and remote access portals, underscoring their intent to exploit these entry points.
This tactic is not unique to Black Basta; ransomware groups commonly exploit remote access credentials and vulnerable internet-facing portals. A report by a major cyber insurer found that two-thirds of businesses have at least one exposed login panel, making them three times more susceptible to ransomware incidents. Among the claims processed by the insurer, 45% involved VPN appliances, and 23% pertained to remote desktop software.
Researchers highlighted the risks associated with exposing sensitive services through poorly configured web login panels. These panels can grant administrative access, allowing threat actors to modify software versions, adjust firewall rules, or disable functionalities.
Administration panels for products from Cisco, SonicWall, Palo Alto Networks, Fortinet, and Citrix constitute about half of the over 5 million internet-exposed remote management solutions and login panels.
The report also noted that VPN and Remote Desktop Protocol (RDP) services are prevalent initial access vectors in ransomware attacks. While VPNs should be secured and monitored, experts advise against exposing RDP services to the internet due to their high compromise rate.
The findings indicate that approximately one in six companies applying for cyber insurance had five or more publicly accessible login panels. Exposed panels are susceptible to credential-spraying attacks and the use of stolen credentials, with compromised credentials accounting for 47% of initial access in analyzed ransomware claims, and software exploits comprising 29%.
Takeaway: In addition to exploiting Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) instances, ransomware operators employ various tactics to infiltrate target networks for initial access, to move laterally within networks, and to execute malicious code remotely.
Phishing and other social engineering attacks are also prevalent infection pathways. Cybercriminals craft emails or messages designed to deceive recipients into clicking malicious links, opening infected attachments, or divulging sensitive information such as login credentials. Once inside the network, attackers may further exploit social engineering techniques to escalate privileges, targeting high-level accounts like network administrators and executives.
Another common method involves compromising software downloads. Attackers infiltrate legitimate software vendors to distribute malware through authentic software updates, a tactic exemplified by the Kaseya supply chain attack. In this incident, the ransomware group exploited a vulnerability in Kaseya's remote management service, leading to widespread compromise among its customers.
Exploiting zero-day and unpatched vulnerabilities is a significant concern. Organizations often delay applying patches due to potential disruptions or compatibility issues, leaving systems exposed. Attackers capitalize on these unpatched vulnerabilities to gain unauthorized access, emphasizing the critical need for timely and effective patch management strategies.
Brute-forcing and utilizing stolen authentication credentials remain effective tactics. Attackers employ automated tools to guess passwords or purchase compromised credentials from dark web marketplaces. The widespread issue of password reuse across multiple platforms further exacerbates this vulnerability, underscoring the importance of robust password policies and multi-factor authentication.
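The credential-spraying pattern described above (one or two guesses per account, spread across many accounts so per-account lockouts never trip) is easiest to catch by grouping failed logons by source address rather than by user. The following detector is an added example, not code from the report or from Halcyon; it runs over constructed RDP logon-failure events whose field names follow Windows Security event 4625 (LogonType 10 is RemoteInteractive, i.e. RDP), and the thresholds are illustrative assumptions.

```python
"""Detect password spraying against an internet-facing RDP host from failed-logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names follow Windows Security
# event 4625 (failed logon); LogonType=10 is RemoteInteractive, i.e. RDP.
SAMPLE_EVENTS = """\
2024-05-01T02:00:01 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2024-05-01T02:00:04 EventID=4625 LogonType=10 TargetUserName=mlee IpAddress=203.0.113.7
2024-05-01T02:00:07 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2024-05-01T02:00:11 EventID=4625 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.7
2024-05-01T02:00:15 EventID=4625 LogonType=10 TargetUserName=rpatel IpAddress=203.0.113.7
2024-05-01T02:00:19 EventID=4625 LogonType=10 TargetUserName=cto IpAddress=203.0.113.7
2024-05-01T02:05:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2024-05-01T02:05:30 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2024-05-01T02:06:00 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
"""


def parse_events(text):
    """One event per line: ISO timestamp followed by key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: [accounts]} for IPs that failed RDP logons against
    at least `min_users` distinct accounts inside a sliding `window`.
    A single user mistyping a password twice (198.51.100.20 above) does not trigger."""
    failures = defaultdict(list)  # ip -> [(ts, user)]
    for ev in events:
        if ev.get("EventID") == "4625" and ev.get("LogonType") == "10":
            failures[ev["IpAddress"]].append((ev["ts"], ev["TargetUserName"]))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)
                break
    return alerts


if __name__ == "__main__":
    for ip, users in detect_spraying(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible password spray from {ip}: {len(users)} accounts: {', '.join(users)}")
```

In production the same grouping applies to VPN authentication-failure logs; only the parser and field names change.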
Additionally, ransomware groups are adept at bypassing endpoint security tools. They employ techniques like "universal unhooking" to hijack execution flows, deploy rootkits, and obfuscate malicious activities, effectively rendering endpoint protection measures ineffective. This highlights the necessity for advanced detection mechanisms and continuous monitoring to identify and mitigate such sophisticated threats.
Network, system, and software misconfigurations also present significant risks. Even minor errors in configurations can expose applications or entire networks to attacks. Proper configuration management and regular security assessments are essential to identify and rectify these vulnerabilities.
Lastly, attackers often leverage legitimate network tools, such as Cobalt Strike and Mimikatz, to facilitate their operations. By using tools already present in the network, they reduce the likelihood of detection and eliminate the need to develop custom malware, making their activities more covert and challenging to identify.
Understanding these infection pathways is crucial for organizations to implement effective cybersecurity measures and protect against ransomware threats.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.